Credit: Matthew ‘j00ru’ Jurczyk
Privilege escalation bug in Windows CSRSS. Very interesting methods for getting an exploit working: handle free-list spraying by creating/freeing hundreds of consoles, getting data into memory of a process that runs as SYSTEM (utilman.exe) by creating lots of windows with overly long titles, and others.